U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Audit Report

Project Delays Prevent EPA from Implementing an Agency-wide Information Security Vulnerability Management Program

Report No. 09-P-0240

September 21, 2009

Report Contributors: Rudolph M. Brevard, Charles M. Dade, Jefferson Gilkeson, Teresa Richardson, Cory Costango, Scott Sammons

Abbreviations

ASSERT   Automated Security Self-Evaluation and Remediation Tracking
BRAINS   Billing and Reimbursable Accounting Network System
EPA      U.S. Environmental Protection Agency
IT       Information Technology
mLINQS   Relocation Expense Management System
NIST     National Institute of Standards and Technology
NTSD     National Technology Services Division
OARM     Office of Administration and Resources Management
OCFO     Office of the Chief Financial Officer
OEI      Office of Environmental Information
OIG      Office of Inspector General
OMB      Office of Management and Budget
POA&Ms   Plans of Action and Milestones
VMP      Vulnerability Management Program

U.S. Environmental Protection Agency
Office of Inspector General
At a Glance
09-P-0240, September 21, 2009

Project Delays Prevent EPA from Implementing an Agency-wide Information Security Vulnerability Management Program

Why We Did This Review

The Office of Inspector General (OIG) sought to determine (1) the status of corrective actions related to agreed-to recommendations for selected information security audit reports, and (2) to what extent the U.S. Environmental Protection Agency (EPA) program offices evaluated whether corrective actions taken resolved identified weaknesses.

Background

Office of Management and Budget (OMB) Circular A-123 requires that EPA managers take timely and effective action to correct deficiencies identified by a variety of sources, such as OIG audits. OMB Circular A-123 also requires management to show that corrective actions taken achieve the desired results. EPA Manual 2750 and EPA Order 1000.24 outline management’s responsibility for following up on OIG recommendations.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2009/20090921-09-P-0240.pdf

What We Found

EPA implemented 56 percent (15 of 27) of the information security audit recommendations we reviewed. EPA’s lack of progress on four key audit recommendations we made in 2004 and 2005 inhibits EPA from providing an Agency-wide process for security monitoring of its computer network. EPA has not established an Agency-wide network security monitoring program because EPA did not take alternative action when this project ran into significant delays. By not performing this critical function, EPA management lacked information necessary to respond to known threats against EPA’s network and to mitigate vulnerabilities before they can be exploited.

EPA offices do not regularly evaluate the effectiveness of actions taken to correct identified deficiencies, as required by OMB Circular A-123. EPA is updating its audit management and oversight policies; we provided suggestions for strengthening them.

What We Recommend

We recommend that the Director of the Office of Technology Operations and Planning, within the Office of Environmental Information:

•   Create Plans of Action and Milestones for each unimplemented audit recommendation listed in Appendix B.
•   Update EPA’s Management Audit Tracking System to show the status of each unimplemented audit recommendation listed in Appendix B.
•   Provide EPA program and regional offices with an alternative solution for vulnerability management, including establishing a centralized oversight process to ensure that EPA program and regional offices (a) regularly test their computer networks for vulnerabilities, and (b) maintain files documenting the mitigation of detected vulnerabilities.
•   Establish a workgroup of program and regional EPA information technology staff to solicit input on training needs and facilitate rolling out the Agency-wide vulnerability management program.
•   Issue an updated memorandum discussing guidance and requirements.

The Agency agreed with all of our findings and recommendations.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

September 21, 2009

MEMORANDUM

SUBJECT:   Project Delays Prevent EPA from Implementing an Agency-wide Information Security Vulnerability Management Program
           Report No. 09-P-0240

FROM:      Rudolph M. Brevard
           Director, Information Resources Management Assessments

TO:        Linda A. Travers
           Acting Assistant Administrator and Chief Information Officer
           Office of Environmental Information

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

The estimated cost of this report – calculated by multiplying the project’s staff days by the applicable daily full cost billing rates in effect at the time – is $475,431.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days. You should include a corrective actions plan for agreed-upon actions, including milestone dates. We have no objections to the further release of this report to the public. This report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at 202-566-0893 or brevard.rudy@epa.gov; or Charles M. Dade, Project Manager, at 202-566-2575 or dade.chuck@epa.gov.

Table of Contents

   Purpose                                                                        1
   Background                                                                     1
   Noteworthy Achievements                                                        1
   Scope and Methodology                                                          2
   Other Reporting Matters                                                        2
   Results of Review                                                              3
       Lack of a Vulnerability Management Tool Inhibits EPA’s Ability to
       Continuously Monitor Its Network Resources                                 3
       Vulnerability Management Project Needs an Interim Solution and
       Stakeholder Involvement                                                    4
   Recommendations                                                                5
   Agency Comments and OIG Evaluation                                             6
   Status of Recommendations and Potential Monetary Benefits                      7

Appendices
   A   Status of Agreed-to Recommendations                                        8
   B   Status of Unimplemented Recommendations                                    9
   C   Agency Response to Draft Audit Report                                     17
   D   Distribution                                                              19

Purpose

We sought to evaluate the implementation and effectiveness of the Agency’s corrective actions for prior information security audit recommendations.

Background

Implementing corrective actions to resolve issues is essential to improving the efficiency and effectiveness of U.S. Environmental Protection Agency (EPA) operations. Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Internal Control, requires that managers take timely and effective action to correct issues identified by a variety of sources. Office of Inspector General (OIG) audit reports represent one such source. OMB Circular A-123 also requires management to show that corrective actions taken achieve the desired results. It also specifies that the results achieved should be documented in writing. Further, supporting documentation should be available for review. OMB Circular A-123 states that correcting issues is an integral part of management accountability and must be considered a priority by the Agency.

EPA has policies to guide managers when implementing audit recommendations. Specifically, EPA Manual 2750, EPA Audit Management Process, provides timeframes for audit resolution. It also requires that EPA action officials create systems to ensure that recommendations are implemented. EPA Order 1000.24, Management Integrity, states that weaknesses should be corrected at the organizational level closest to the problem. Further, it states that weaknesses should be dealt with as soon as possible after being identified.

We chose four audit reports to determine whether the Agency has taken action to correct information security weaknesses identified in each of them (see Table 1).

Table 1: Prior Audits Reviewed Regarding Information Security Weaknesses

 Report No.     Report Title                                                        Date
 2004-P-00013   EPA’s Administration of Network Firewalls Needs Improvement         March 31, 2004
 2005-P-00011   Security Configuration and Monitoring of EPA’s Remote Access        March 22, 2005
                Methods Need Improvement
 2007-P-00007   EPA Could Improve Processes for Managing Contractor Systems and     January 11, 2007
                Reporting Incidents
 08-1-0032      Audit of EPA’s Fiscal 2007 and 2006 (Restated) Consolidated         November 15, 2007
                Financial Statements (only reviewed recommendations made to
                improve information security)

Source: OIG analysis

Noteworthy Achievements

EPA has taken steps to strengthen network security by implementing an appliance-based firewall server that meets an industry standard architecture. EPA also updated its incident-reporting directive to include new roles, responsibilities, and standards for centralized incident reporting.

Scope and Methodology

We performed our audit from January 2008 to June 2009. We performed this audit in accordance with generally accepted government auditing standards. These standards require that we plan and perform the audit to obtain sufficient and appropriate evidence. The evidence is to provide a reasonable basis for our findings and conclusions. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions.

We compared EPA’s written assertions of the status of agreed-to report recommendations with documentary support of the actions EPA took. We also spoke with EPA and contractor staff in the Office of Environmental Information (OEI) and the Office of Administration and Resources Management (OARM) responsible for implementing and overseeing actions to address the related audit recommendations. We identified actions EPA still needed to take to fully satisfy each recommendation.

We spoke with EPA and contractor staff in the Office of Air and Radiation, Office of Research and Development, OARM, and EPA Regions 4 and 5. We asked about system control monitoring practices of Web-Mail-enabled servers. We asked about practices, methods, and tools these sites use to detect and protect their networks against vulnerabilities. During visits to EPA regional offices for Regions 4 and 5, we performed vulnerability tests on selected application servers that allow remote access to EPA’s electronic mail system. We provided the test results to the regional staff for resolution. We spoke with OEI and OARM audit follow-up coordinators, as well as EPA line staff who implement corrective actions. These individuals determine whether their offices have processes in place to evaluate the effectiveness of those actions.

Other Reporting Matters

During preliminary research, we issued a memorandum to EPA’s Chief Financial Officer on the status of actions taken to correct information security weaknesses at the Cincinnati Finance Center. The Office of the Chief Financial Officer (OCFO) took ample steps to correct material weaknesses in physical access and environmental controls at the Cincinnati Finance Center. However, OCFO still needed to do more work to document and test security controls over the two critical applications at the finance center. The OIG reviewed EPA’s progress in completing these remaining recommendations during the Fiscal Year 2008 financial statement audit. In examining that audit, we found that the Agency made significant progress in completing the agreed-to corrective actions, but it still needs to finalize the independent reviews of the two financial applications and update the applications’ security plans. In addition, the Agency needs to test the newly approved contingency plans for these two applications.

Also during preliminary research, we provided OCFO with written comments directing it to strengthen EPA Manual 2750 and EPA Order 1000.24. We found that EPA needed to update EPA Manual 2750 to more clearly assign responsibility for ensuring corrective actions are effective and implemented in a timely manner, as required by OMB Circular A-123. We found that internal controls for overseeing corrective actions defined in EPA Order 1000.24 needed updating to specify something to this effect: “A determination that a weakness has been corrected is made only when management demonstrates that the corrective action taken effectively resolved the identified weakness.”

Appendix A provides the status of agreed-upon recommendations for the four reports we reviewed. Appendix B provides information on all open agreed-to recommendations that still require EPA management action to complete.

Results of Review

EPA made progress in implementing many of the agreed-upon audit recommendations. However, more management emphasis is needed to complete a key project that would provide EPA offices with the necessary tools to continuously monitor their network resources. In particular, since 2005, EPA has attempted to implement a commercial off-the-shelf network vulnerability tool. This tool has the capability to identify and correct commonly known security weaknesses. However, project delays have thwarted EPA’s ability to move the project beyond the pilot stage. As a result, EPA regional and program offices are inconsistent in routinely monitoring their networks for common vulnerabilities. Offices that do routinely monitor their networks for common vulnerabilities use inconsistent methods.

Lack of a Vulnerability Management Tool Inhibits EPA’s Ability to Continuously Monitor Its Network Resources

EPA has not established an Agency-wide security-monitoring program for its computer network. Significant delays have occurred in completing the information technology (IT) project related to this effort. In our 2004 audit of EPA’s network firewall and our 2005 audit of remote access methods, we recommended that EPA:

•   Modify the network vulnerability assessment methodology to include scanning of all firewall components.
•   Develop and implement a security-monitoring program that includes testing all servers, and require all system administrators to register their servers with the National Technology Services Division and participate in the security-monitoring program.
•   Expand the Agency’s security-monitoring program to include using a variety of network vulnerability scanning tools to monitor registered servers.
•   Establish and implement a process to ensure program and regional offices conduct regular security monitoring that includes vulnerability scanning.

Completing these recommendations called for EPA to implement a vulnerability management program (VMP). In July 2005, EPA began to establish the program. Yet, more than 3 years later, EPA is still evaluating a vulnerability management tool. The Research Triangle Park campus and an EPA region served as the two pilot sites for testing the selected tool. OEI staff mentioned that it is necessary to automate both the vulnerability detection and remediation processes before rolling out the vulnerability management tool for EPA locations to use. Automating only the detection process would overwhelm EPA IT security staff because they would have to manually remediate vulnerabilities. We agree with the Agency that remediating vulnerabilities would initially increase the workload of EPA IT security staff. However, this increase in workload would decrease over time once the Agency becomes more familiar with the vulnerability management tool. We believe this short-term increase in workload would put EPA in a better position to more quickly remediate high-risk vulnerabilities and provide better protection of critical network resources once a vulnerability remediation process is in place. National Institute of Standards and Technology (NIST) Special Publication 800-123, Guide to General Server Security, states that scanning should occur on a weekly to monthly basis. NIST stresses that this ongoing scanning is extremely important for mitigating vulnerabilities as soon as possible to prevent vulnerabilities from being discovered and exploited.

Vulnerability Management Project Needs an Interim Solution and Stakeholder Involvement

As OEI progressed with the project, automating the remediation process became increasingly difficult. With the exception of common network services, EPA operates a decentrally managed network. Hardware and software component configurations vary by EPA location. Calibrating a vulnerability management tool that can remediate vulnerabilities on a variety of hardware and software configurations across EPA’s decentralized network presents a major challenge. As such, providing an interim solution to identify vulnerabilities until an automated solution is available would provide EPA offices with:

•   A consistent approach to monitoring their networks continuously.
•   A means to provide feedback to help configure the automated remediation component of the VMP.
•   A means to transition to new vulnerability management components when they become available.

Further, establishing a formal centralized oversight structure would help ensure that management has in place a repeatable and documented practice. This practice would provide much needed consistency and structure to network vulnerability testing and remediation. However, EPA did not provide offices with an interim solution for conducting continuous monitoring of their network resources. During our visits to five EPA offices, we confirmed that they do not regularly and consistently test their networks for vulnerabilities.

We asked employees involved in the project about this and other issues that were delaying the project’s completion. We requested information on actions taken by EPA to address these issues. We further asked for the planned project completion date, project budget data, and status of key milestones. However, as of August 6, 2009, EPA management had not provided the information related to our request.

In addition, during interviews with EPA employees involved in the project, it came to our attention that conditions existed that suggest management could have taken more steps to prepare stakeholders for the new VMP. For example, the Project Manager indicated that EPA management did not establish a workgroup composed of key stakeholders from the various EPA programs and regional offices. Also, IT security personnel who were involved in the pilot indicated they would need to receive additional training to ease the implementation of the vulnerability management program associated with this project.

As of August 6, 2009, EPA had provided only a partial work plan, covering the pilot phase of the project, for implementing an Agency-wide VMP. A review of this work plan shows that EPA planned to complete the pilot phase of this project in February 2009. Nevertheless, the work plan does not provide information on when EPA plans to have an Agency-wide VMP in place. As of August 6, 2009, EPA had not provided information on the steps it took to address the delays in implementing the VMP.

As a result of our audit, OEI issued a memorandum on August 3, 2009, to remind applicable Agency personnel of their vulnerability scanning/remediation responsibilities and to point them to available resources to assist in fulfilling these responsibilities. However, the information and documentation referenced within the memorandum need to be revised to reflect the latest revision of NIST Special Publication 800-53, as well as the latest minimum standard for the time between periodic vulnerability scanning/remediation. The memorandum indicated that the time between periodic vulnerability scanning and remediation is not to exceed one quarter. However, NIST guidance states that scanning should occur on a weekly to monthly basis. NIST also states that periodic scans should be performed using two different tools because no scanner is able to detect all known vulnerabilities.

Additionally, although the memorandum references available resources to assist Agency personnel in fulfilling their vulnerability scanning/remediation responsibilities, OEI made disclaimer statements regarding licensing limitations and resource availability associated with the resources/tools it was offering. We believe this disclaimer indicates a lack of management commitment and support for establishing an effective vulnerability management program within EPA.

Due to the datedness and vagueness of the memorandum and the lack of resources and necessary licenses for the tools implied by the disclaimer, we added Recommendation 5 to the “Recommendations” section below.

Recommendations

We recommend that the Director, Office of Technology Operations and Planning, within the Office of Environmental Information:

   1. Create Plans of Action and Milestones (POA&Ms) for each unimplemented audit recommendation listed in Appendix B.

   2. Update EPA’s Management Audit Tracking System to show the status of each unimplemented audit recommendation listed in Appendix B.

   3. Provide EPA program and regional offices with an interim solution for vulnerability management. This should include establishing a centralized oversight process to ensure that EPA program and regional offices (a) regularly test their computer networks for vulnerabilities, and (b) maintain files documenting the mitigation of detected vulnerabilities.

   4. Establish a workgroup of program and regional EPA IT staff (e.g., information security officers, system administrators, etc.) to solicit input on training needs and facilitate the rollout of the Agency-wide vulnerability management program.

   5. Issue an updated memorandum that:

      a. Reflects the current version of NIST Special Publication 800-53.
      b. Requires continuous scanning/remediation on at least a monthly basis.
      c. Requires continuous scanning/remediation be performed using two tools concurrently.
      d. Specifies what tools and resources OEI can actually provide to help the applicable personnel fulfill these responsibilities and what the applicable organizations will have to obtain on their own to perform these responsibilities.

Agency Comments and OIG Evaluation

Within its July 30, 2009, response to the draft report, OEI agreed with the findings and recommendations. OEI did not provide an updated status on the recommendations identified in Appendix B with its response. We added an additional column to the end of Appendix B in which we included the information we obtained from the Automated Security Self-Evaluation and Remediation Tracking (ASSERT) system as of August 6, 2009. However, OEI indicated it would create POA&Ms for all of the report’s recommendations.

Appendix C contains the Agency’s complete response to our formal draft report.

Status of Recommendations and Potential Monetary Benefits

Columns: Rec. No. | Page No. | Subject | Status (1) | Action Official | Planned Completion Date | Potential Monetary Benefits (in $000s): Claimed Amount | Agreed To Amount

 1   5   Create Plans of Action and Milestones (POA&Ms) for each unimplemented audit recommendation listed in Appendix B.
         Status: O   Action Official: Director, Office of Technology Operations and Planning, within the Office of Environmental Information
         Planned Completion Date: (blank)   Claimed Amount: (blank)   Agreed To Amount: (blank)

 2   5   Update EPA’s Management Audit Tracking System to show the status of each unimplemented audit recommendation listed in Appendix B.
         Status: O   Action Official: Director, Office of Technology Operations and Planning, within the Office of Environmental Information
         Planned Completion Date: (blank)   Claimed Amount: (blank)   Agreed To Amount: (blank)

 3   5   Provide EPA program and regional offices with an interim solution for vulnerability management. This should include establishing a centralized oversight process to ensure that EPA program and regional offices (a) regularly test their computer networks for vulnerabilities, and (b) maintain files documenting the mitigation of detected vulnerabilities.
         Status: O   Action Official: Director, Office of Technology Operations and Planning, within the Office of Environmental Information
         Planned Completion Date: (blank)   Claimed Amount: (blank)   Agreed To Amount: (blank)

 4   6   Establish a workgroup of program and regional EPA IT staff (e.g., information security officers, system administrators, etc.) to solicit input on training needs and facilitate the rollout of the Agency-wide vulnerability management program.
         Status: O   Action Official: Director, Office of Technology Operations and Planning, within the Office of Environmental Information
         Planned Completion Date: (blank)   Claimed Amount: (blank)   Agreed To Amount: (blank)

 5   6   Issue an updated memorandum that:
           a. Reflects the current version of NIST Special Publication 800-53.
           b. Requires continuous scanning/remediation on at least a monthly basis.
           c. Requires continuous scanning/remediation be performed using two tools concurrently.
           d. Specifies what tools and resources OEI can actually provide to help the applicable personnel fulfill these responsibilities and what the applicable organizations will have to obtain on their own to perform these responsibilities.
         Status: O   Action Official: Director, Office of Technology Operations and Planning, within the Office of Environmental Information
         Planned Completion Date: (blank)   Claimed Amount: (blank)   Agreed To Amount: (blank)

(1) O = recommendation is open with agreed-to corrective actions pending
    C = recommendation is closed with all agreed-to actions completed
    U = recommendation is undecided with resolution efforts in progress

Appendix A

Status of Agreed-to Recommendations

 Report Title/Number                                            Recommendation   Completed
                                                                Number           Yes   No
 EPA’s Administration of Network Firewalls Needs Improvement    2-1                    X
 (Report No. 2004-P-00013)                                      3-1              X
                                                                3-2                    X

 Security Configuration and Monitoring of EPA’s Remote          2-1                    X
 Access Methods Need Improvement                                2-2                    X
 (Report No. 2005-P-00011)                                      2-3                    X
                                                                2-4                    X
                                                                2-5                    X
                                                                3-1              X
                                                                3-2              X

 EPA Could Improve Processes for Managing Contractor            2-1                    X
 Systems and Reporting Incidents                                2-2              X
 (Report No. 2007-P-00007)                                      2-3              X
                                                                3-1              X
                                                                3-2              X
                                                                3-3              X
                                                                3-4              X

 Audit of EPA’s Fiscal 2007 and 2006 (Restated)                 12                     X
 Consolidated Financial Statements                              13                     X
 (Report No.
08-1-0032)                                        14           X\n                                                              15                     X\n                                                              16           X\n                                                              17           X\n                                                              18                     X\n                                                              19           X\n                                                              20           X\n                                                              21           X\n\nNumber Completed/Not Completed                                             15        12\nPercentage Completed/Not Completed                                        56%       44%\nSource: OIG analysis\n\n\n\n\n                                                  8\n\x0c                                                                                                                              09-P-0240\n\n\n\n\n                                                                                                                          Appendix B\n\n\n                            Status of Unimplemented Recommendations\n                                                                                  Requested Updated Status\n                                                                                       from Agency \xe2\x80\x93                ASSERT POA&M\n                                                                                 Agency Provided No Updated         Information as of\n   Report Title/Number         Recommendation               Action Needed         Status as of June 23, 2009         August 6, 2009\n\nEPA\xe2\x80\x99s Administration of     2-1 Develop and             Complete the             Planned implementation date     The POA&M in ASSERT\nNetwork Firewalls Needs     implement a standard        implementation of        for 
both actions was August     indicates that this\nImprovement                 configuration requirement   \xe2\x80\x9cproxy\xe2\x80\x9d servers for      2008. As of February 9, 2009,   Milestone Status is\n(Report No. 2004-P-00013)   for adequately securing     remote access to         EPA updated the POA&M in        Completed. The OMB\n                            workstations used to        firewall consoles.       the ASSERT system with a        Comment does not\n                            remotely administer                                  new completion date of          appear to corroborate\n                            network firewalls.          Management approval      March 31, 2009.                 the milestone status.\n                                                        and issuance of the                                      The OMB Comment\n                                                        procedure developed                                      states that the review\n                                                        for granting access to                                   was completed and\n                                                        firewall consoles.                                       modifications are being\n                                                                                                                 made to access methods\n                                                                                                                 based on outcome.\n\n\n                            3-2 Modify the network      Implement regular        Planned implementation date     Current revised\n                            vulnerability assessment    vulnerability scanning   was September 2008. 
As of       completion date is\n                            methodology to include      of security              February 9, 2009, EPA updated   September 30, 2009.\n                            scanning of all firewall    infrastructure.          the POA&M in the ASSERT\n                            components (e.g.,                                    system with a new completion\n                            workstations,                                        date of March 31, 2009.\n                            management consoles,\n                            and enforcement point\n                            servers).\n\n\n\n\n                                                                    9\n\x0c                                                                                                                                    09-P-0240\n\n\n\n\n                                                                                     Requested Updated Status\n                                                                                          from Agency \xe2\x80\x93                  ASSERT POA&M\n                                                                                    Agency Provided No Updated           Information as of\n   Report Title/Number          Recommendation               Action Needed           Status as of June 23, 2009           August 6, 2009\n\nSecurity Configuration and   2-1 Establish processes     Put formal processes in    EPA management has not            Current revised\nMonitoring of EPA\xe2\x80\x99s Remote   and assign accountability   place and formally         provided a complete project       completion date is\nAccess Methods Need          for independently verify    assign accountability      plan that includes the actions    August 31, 2009.\nImprovement                  and validate that           for independently          to be taken and the estimated\n(Report No. 
2005-P-00011)    Web-Mail and BlackBerry     verifying and validating   or planned milestone dates\n                             servers comply with         that Web-Mail servers      for completing the actions\n                             published EPA policies      comply with published      necessary to address the\n                             and standards.              EPA policies and           recommendation.\n                                                         standards.                 Implementation date depends\n                                                                                    on the results of the ongoing\n                                                                                    vulnerability management pilot\n                                                                                    program. Based on a May\n                                                                                    2008 interview with the\n                                                                                    project\xe2\x80\x99s technical lead, the\n                                                                                    planned completion date for the\n                                                                                    pilot program is March 2009.\n\n\n\n\n                                                                    10\n\x0c                                                                                                                                09-P-0240\n\n\n\n\n                                                                                 Requested Updated Status\n                                                                                      from Agency \xe2\x80\x93                  ASSERT POA&M\n                                                                                Agency Provided No Updated           Information as of\nReport Title/Number      Recommendation   
              Action Needed            Status as of June 23, 2009           August 6, 2009\n\n                      2-2 Develop and               Implement an Agency-        EPA management has not            Current revised\n                      implement a security-         wide vulnerability          provided a complete project       completion date is\n                      monitoring program that       management program          plan that includes the actions    August 31, 2009.\n                      includes testing all          that includes registering   to be taken and the estimated\n                      servers, and require all      and testing all servers     or planned milestone dates\n                      system administrators to      on a regular basis (in      for completing the actions\n                      register their servers with   compliance with             necessary to address the\n                      NTSD and participate in       Federal and Agency          recommendation.\n                      the security-monitoring       Regulations, Policies,      Implementation date depends\n                      program.                      Procedures, and             on the results of the ongoing\n                                                    Standards),                 vulnerability management pilot\n                                                    remediating the             program. Based on a May\n                                                    vulnerabilities in a        2008 interview with the\n                                                    timely manner.              
project\xe2\x80\x99s technical lead, the\n                                                                                planned completion date for the\n                                                                                pilot program is March 2009.\n\n\n\n\n                                                                11\n\x0c                                                                                                                          09-P-0240\n\n\n\n\n                                                                           Requested Updated Status\n                                                                                from Agency \xe2\x80\x93                  ASSERT POA&M\n                                                                          Agency Provided No Updated           Information as of\nReport Title/Number      Recommendation              Action Needed         Status as of June 23, 2009           August 6, 2009\n\n                      2-3 Expand the Agency\xe2\x80\x99s    Implement processes      EPA management has not            Current revised\n                      security-monitoring        and utilize tools to     provided a complete project       completion date is\n                      program to include using   support Agency-wide      plan that includes the actions    August 31, 2009.\n                      a variety of network       vulnerability scanning   to be taken and the estimated\n                      vulnerability scanning     of critical network.     or planned milestone dates\n                      tools to monitor                                    for completing the actions\n                      registered servers.                                 
necessary to address the\n                                                                          recommendation.\n                                                                          Implementation date depends\n                                                                          on the results of the ongoing\n                                                                          vulnerability management pilot\n                                                                          program. Based on a May\n                                                                          2008 interview with the\n                                                                          project\xe2\x80\x99s technical lead, the\n                                                                          planned completion date for the\n                                                                          pilot program is March 2009.\n\n\n\n\n                                                            12\n\x0c                                                                                                                            09-P-0240\n\n\n\n\n                                                                             Requested Updated Status\n                                                                                  from Agency \xe2\x80\x93                  ASSERT POA&M\n                                                                            Agency Provided No Updated           Information as of\nReport Title/Number      Recommendation              Action Needed           Status as of June 23, 2009           August 6, 2009\n\n                      2-4 Establish and          Establish and              EPA management has not            Current revised\n                      implement a process to     implement a process to     provided a complete project       completion date is\n                      ensure program and         ensure 
program and         plan that includes the actions    August 31, 2009.\n                      regional offices conduct   regional offices conduct   to be taken and the estimated\n                      regular security           regular security           or planned milestone dates\n                      monitoring that includes   monitoring that includes   for completing the actions\n                      vulnerability scanning.    vulnerability scanning.    necessary to address the\n                                                                            recommendation.\n                                                                            Implementation date depends\n                                                                            on the results of the ongoing\n                                                                            vulnerability management pilot\n                                                                            program. Based on a May\n                                                                            2008 interview with the\n                                                                            project\xe2\x80\x99s technical lead, the\n                                                                            planned completion date for the\n                                                                            pilot program is March 2009.\n\n\n                      2-5 Develop and publish    Develop and publish        EPA has not provided a            EPA has not established\n                      standards that define      standards that define      planned implementation date       a POA&M to address this\n                      authorized open ports      authorized open ports      for the corrective actions        recommendation.\n                      and services for the       and services for the       associated with this\n                      Web-Mail and BlackBerry    Web-Mail and   
            recommendation.\n                      servers\xe2\x80\x99 Operating         BlackBerry servers\xe2\x80\x99\n                      System.                    Operating System and\n                                                 require Web-mail and\n                                                 BlackBerry servers to\n                                                 be single-purpose\n                                                 servers.\n\n\n\n\n                                                            13\n\x0c                                                                                                                                   09-P-0240\n\n\n\n\n                                                                                  Requested Updated Status\n                                                                                       from Agency \xe2\x80\x93                   ASSERT POA&M\n                                                                                 Agency Provided No Updated            Information as of\n   Report Title/Number          Recommendation              Action Needed         Status as of June 23, 2009            August 6, 2009\n\nEPA Could Improve            2-1 Develop and            Update Information       Planned implementation date        The POA&M in ASSERT\nProcesses for Managing       implement guidance that    Security Manual to       for both actions was               indicates that this\nContractor Systems and       EPA offices can use to     include procedures       September 18, 2008. As of          Milestone Status is\nReporting Incidents          identify contractor        EPA offices can use to   February 9, 2009, EPA updated      completed as of June 30,\n(Report No. 2007-P-00007)    systems that contain EPA   identify contractor      the POA&M in the ASSERT            2009. The OMB\n                             data.                      
systems that contain     system with a new planned          Comment does not\n                                                        EPA data.                completion date of April 10,       corroborate the\n                                                                                 2009.                              milestone status. The\n                                                                                                                    OMB Comment states\n                                                                                                                    that contractual and\n                                                                                                                    resource ability to review\n                                                                                                                    draft documents have\n                                                                                                                    delayed this activity.\n\n\n\nAudit of EPA\xe2\x80\x99s Fiscal 2007   12 Develop a               Conduct a test of the    As of the end of the Fiscal Year   The OIG will track EPA\xe2\x80\x99s\nand 2006 (Restated)          contingency plan for       two newly developed      2008 financial statement audit,    progress in completing\nConsolidated Financial       BRAINS and mLINQS.         contingency plans.       EPA had not completed the          this recommendation\nStatements                   The plans should be                                 corrective actions associated      during Fiscal Year\n(Report No. 08-1-0032)       approved by                                         with this recommendation. 
The      2009\xe2\x80\x99s annual financial\n                             management and have                                 OIG will track EPA\xe2\x80\x99s progress      statement audit.\n                             documented annual                                   in completing this\n                             reviews and testing.                                recommendation during the\n                                                                                 annual financial statement\n                                                                                 audit.\n\n\n\n\n                                                                   14\n\x0c                                                                                                                        09-P-0240\n\n\n\n\n                                                                           Requested Updated Status\n                                                                                from Agency \xe2\x80\x93                ASSERT POA&M\n                                                                          Agency Provided No Updated         Information as of\nReport Title/Number      Recommendation               Action Needed        Status as of June 23, 2009         August 6, 2009\n\n                      13 Develop a security        Finalize the           As of the end of the Fiscal     The OIG will track EPA\xe2\x80\x99s\n                      plan for BRAINS and          independent reviews    Year 2008 financial statement   progress in completing\n                      mLINQS. This should          and updated security   audit, EPA had not completed    this recommendation\n                      include having both          plans.                 
the corrective actions          during Fiscal Year\n                      applications comply with                            associated with this            2009\xe2\x80\x99s annual financial\n                      all the federal security                            recommendation. The OIG will    statement audit.\n                      requirements specified by                           track EPA\xe2\x80\x99s progress made in\n                      the National Institute for                          completing this\n                      Standards and                                       recommendation during the\n                      Technology, including                               annual financial statement\n                      completion of the security                          audit.\n                      certification and\n                      accreditation process and\n                      the resulting formal\n                      authorization to operate.\n\n\n                      15 Enter Plans of Action     Update ASSERT as       As of the end of the Fiscal     The OIG will track EPA\xe2\x80\x99s\n                      and Milestones for all the   POA&Ms change.         Year 2008 financial statement   progress in completing\n                      above noted deficiencies                            audit, EPA had not completed    this recommendation\n                      in the Agency\xe2\x80\x99s security                            the corrective actions          during Fiscal Year\n                      weakness tracking                                   associated with this            2009\xe2\x80\x99s annual financial\n                      database (ASSERT).                                  recommendation. 
The OIG will    statement audit.\n                                                                          track EPA\xe2\x80\x99s progress in\n                                                                          completing this\n                                                                          recommendation during the\n                                                                          annual financial statement\n                                                                          audit.\n\n\n\n\n                                                              15\n\x0c                                                                                                                           09-P-0240\n\n\n\n\n                                                                              Requested Updated Status\n                                                                                   from Agency \xe2\x80\x93                ASSERT POA&M\n                                                                             Agency Provided No Updated         Information as of\nReport Title/Number      Recommendation                Action Needed          Status as of June 23, 2009         August 6, 2009\n\n                      18 Conduct and                Conduct and document     As of the end of the Fiscal     The OIG will track EPA\xe2\x80\x99s\n                      document an annual            an annual verification   Year 2008 financial statement   progress in completing\n                      verification and validation   and validation of        audit, EPA had not completed    this recommendation\n                      of implemented                implemented              the corrective actions          during the Fiscal Year\n                      procedures to ensure          procedures to ensure     associated with this            2009 financial statement\n                      controls are implemented      controls are             
recommendation. Based on        audit.\n                      as intended and are           implemented as           EPA Management\xe2\x80\x99s October\n                      effective.                    intended and are         2008 response, EPA set\n                                                    effective.               December 31, 2008, as the\n                                                                             implementation date for this\n                                                                             recommendation.\n                                                                             The OIG will track EPA\xe2\x80\x99s\n                                                                             progress in completing this\n                                                                             recommendation during the\n                                                                             annual financial statement\n                                                                             audit.\n\n\n\n\n                                                               16\n\x0c                                                                                  09-P-0240\n\n\n                                                                              Appendix C\n\n\n         Agency Response to Draft Audit Report\n\n\n                                       Jul 30, 2009\n\n\n\nMEMORANDUM\n\n\n\nSUBJECT:      Response to Draft Audit Report Project No. OMS-FY08-0001, Project Delays\n              Prevent EPA from Implementing an Agency-Wide Vulnerability Management\n              Program\n\nFROM:         Vaughn Noga, Acting Director\n              Office of Technology Operations and Planning\n              and Acting Chief Technology Officer\n\nTO:           Rudolph M. 
Brevard, Director\n              Information Resources management Assessments\n              Office of Inspector General\n\nWe have completed our review of the OIG Draft Audit Report Project No. OMS-FY08-0001,\nProject Delays Prevent EPA from Implementing an Agency-Wide Vulnerability Management\nProgram and are providing the following comments to your recommendations:\n\n   1. Recommendation #1 \xe2\x80\x93 Create Plans of Action and Milestones for each unimplemented\n      audit recommendation listed in Appendix B.\n\n       Concur in part \xe2\x80\x93 Many of the unimplemented audit recommendations have been assigned\n       Plan of Action and Milestones (POA&Ms). For those recommendations that have not\n       been assigned POA&Ms, OEI will ensure they have been created. Additionally, OEI will\n       update its POA&Ms to reflect the milestones being identified in our current process\n       improvement planning activities. Estimated date of completion for initial planning is\n       August 31, 2009.\n\n   2. Recommendation #2 \xe2\x80\x93 Update the EPA\xe2\x80\x99s Management Audit Tracking System to show\n      the status of each unimplemented audit recommendation listed in Appendix B.\n\n       Concur \xe2\x80\x93 OEI will ensure EPA\xe2\x80\x99s Management Audit Tracking System (MATS) is\n       updated to show the status of each agreed upon, unimplemented audit recommendation\n       under its purview with in the limitations of the system. OEI recommends that OIG\n       continue to utilize the Automated System Security Evaluation and Remediation Tracking\n       (ASSERT) system to monitor status as MATS will be updated with the ASSERT\n       POA&M Task ID.\n\n\n                                            17\n\x0c                                                                                      09-P-0240\n\n\n\n\n      3. 
Recommendation #3 \xe2\x80\x93 Provide EPA Program and Regional offices with an interim\n         solution for vulnerability management. This should include establishing a\n         centralized oversight process to ensure that EPA Program and Regional offices\n         (1) regularly test their computer networks for vulnerabilities, and (2) maintain\n         files documenting the mitigation of detected vulnerabilities.\n\n         Concur \xe2\x80\x93 OEI will issue a memorandum to all Senior Information Officials, Information\n         Management Officials and Information Security Officers reminding them of their\n         responsibilities in accordance with the National Institute of Standards and Technology\n         (NIST) Special Publication 800-53 to periodically scan systems for vulnerabilities on a\n         continuous basis, implement appropriate remedial actions and what Agency and non-\n         Agency tools available/recommended for use e.g. the Test and Vulnerability Assessment\n         Lab (TVAL) and Nessus Vulnerability Scanner.\n\n         Additional oversight and compliance will be conducted on a continuous basis via the\n         Technology and Information Security Staff (TISS) Independent Verification and\n         Validation (IV&V) activities.\n\n      4. Establish a workgroup of program and regional EPA IT staff (e.g., information\n         security officers, system administrators etc.) to solicit input on training needs and\n         to facilitate the rollout of the Agency-wide vulnerability management program.\n\n         Concur \xe2\x80\x93 OEI will charter and manage a Patch and Vulnerability Group (PVG) in\n         accordance with NIST SP 800-40. 
This group will conduct a variety of functions in\n         support of the EVMP to include, but not limited to, identifying and ensuring the\n         implementation of role-based training requirements to appropriate Information\n         Technology (IT) personnel.\n\nThank you for giving us the opportunity to provide responses on this report. If there are any\nquestions concerning the provided information please contact Johnny E. Davis Jr. at 202-566-\n1025.\n\ncc:      Johnny E. Davis Jr.\n         Robin Gonzalez\n         Bill Boone\n\n\n\n\n                                               18\n\x0c                                                                                09-P-0240\n\n\n                                                                            Appendix D\n\n                                    Distribution\n\nOffice of the Administrator\nActing Assistant Administrator for Environmental Information and Chief Information Officer\nActing Director, Office of Technology Operations and Planning\nDirector, Technology and Information Security Staff\nDirector, National Computer Center\nChief, Security and Business Management Branch, National Computer Center\nAgency Follow-up Official (the CFO)\nAgency Follow-up Coordinator\nGeneral Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for Public Affairs\nAudit Follow-up Coordinator, Office of Environmental Information\nActing Inspector General\n\n\n\n\n                                             19\n\x0c'
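Recommendations 3 and 5 describe an oversight process with three checkable conditions: every registered host is scanned at least monthly, scanning is performed with two tools concurrently, and each detected vulnerability has a documented mitigation. The script below is an added illustration of how such a centralized check can be automated; it is not part of the OIG report or of EPA's response, and the host names, scanner names, finding names, mitigation statuses and record layouts are constructed assumptions rather than EPA systems or data. It takes the per-tool scan results and the mitigation file, and reports hosts that are overdue for a scan, findings that only one of the two tools reported (a false positive or a coverage gap in the other tool), and findings with no closed mitigation record.

```python
"""Centralized oversight checks for a two-tool vulnerability management program.

Added example (not from the OIG report or EPA). All data is constructed:
host names, tool names, finding names and statuses are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed inventory of registered hosts (assumption: the registry
# described in Recommendation 2-2 of the remote access report).
REGISTERED_HOSTS = ["web01", "mail01", "bb01", "fw-console01"]

# Constructed scan results: (tool, host, finding, scan date). Two tools are
# run concurrently; bb01 is registered but was never scanned by either.
SCAN_RESULTS = [
    ("scanner_a", "web01",        "openssh-outdated",        date(2009, 7, 28)),
    ("scanner_b", "web01",        "openssh-outdated",        date(2009, 7, 28)),
    ("scanner_a", "web01",        "tls-weak-ciphers",        date(2009, 7, 28)),
    ("scanner_a", "mail01",       "smtp-open-relay",         date(2009, 7, 29)),
    ("scanner_b", "mail01",       "smtp-open-relay",         date(2009, 7, 29)),
    ("scanner_b", "mail01",       "unneeded-service-telnet", date(2009, 7, 29)),
    ("scanner_a", "fw-console01", "rdp-no-nla",              date(2009, 6, 1)),
    ("scanner_b", "fw-console01", "rdp-no-nla",              date(2009, 6, 1)),
]

# Constructed mitigation file keyed by (host, finding). "remediated" and
# "risk-accepted" are the two documented closed states in this example.
MITIGATIONS = {
    ("web01", "openssh-outdated"):   {"status": "remediated",
                                      "date": date(2009, 7, 30),
                                      "note": "vendor patch applied"},
    ("mail01", "smtp-open-relay"):   {"status": "open",
                                      "date": None,
                                      "note": "ticket opened, not yet fixed"},
    ("fw-console01", "rdp-no-nla"):  {"status": "risk-accepted",
                                      "date": date(2009, 6, 5),
                                      "note": "console on isolated mgmt VLAN; waiver on file"},
}

CLOSED_STATUSES = {"remediated", "risk-accepted"}


def last_scan_by_host(results):
    """Most recent scan date per host, across all tools."""
    last = {}
    for _tool, host, _finding, when in results:
        if host not in last or when > last[host]:
            last[host] = when
    return last


def overdue_hosts(results, registered, as_of, max_age_days=30):
    """Registered hosts with no scan by any tool within max_age_days.

    A host that was never scanned is overdue too: the absence of a result is
    the failure mode an oversight check must not silently accept.
    """
    last = last_scan_by_host(results)
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(h for h in registered if h not in last or last[h] < cutoff)


def tools_per_finding(results):
    """Map (host, finding) -> set of tools that reported it."""
    seen = defaultdict(set)
    for tool, host, finding, _when in results:
        seen[(host, finding)].add(tool)
    return seen


def single_tool_findings(results, expected_tools=2):
    """Findings reported by fewer tools than were run concurrently.

    Each such finding needs a manual decision: either one tool produced a
    false positive, or the other tool has a coverage gap for that check.
    """
    return sorted((hf, sorted(tools))
                  for hf, tools in tools_per_finding(results).items()
                  if len(tools) < expected_tools)


def undocumented_findings(results, mitigations):
    """Detected findings lacking a closed mitigation record."""
    return sorted(hf for hf in tools_per_finding(results)
                  if mitigations.get(hf, {}).get("status") not in CLOSED_STATUSES)


def oversight_report(results, registered, mitigations, as_of):
    """Bundle the three checks into one report for the oversight office."""
    return {
        "overdue_hosts": overdue_hosts(results, registered, as_of),
        "single_tool_findings": single_tool_findings(results),
        "undocumented_findings": undocumented_findings(results, mitigations),
    }


if __name__ == "__main__":
    report = oversight_report(SCAN_RESULTS, REGISTERED_HOSTS, MITIGATIONS,
                              as_of=date(2009, 8, 6))
    for section, items in report.items():
        print(f"{section}:")
        for item in items:
            print(f"  {item}")
```

Run against the constructed data as of August 6, 2009, the report lists bb01 (never scanned) and fw-console01 (last scanned June 1) as overdue, flags the two findings that only one scanner reported, and lists the three findings whose mitigation is either missing or still open. Keeping the mitigation file keyed by (host, finding) rather than by scanner output means the documentation survives a change of scanning tool, which matters for a program that requires two tools.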